Encryption at REST with an External KMS in MarkLogic
03 June 2021 04:26 PM
Encryption at REST with an external Key Management System (KMS), or keystore, offers additional security for your encryption keys, along with key management capabilities like automatic key rotation, key revocation, and key deletion.
If you want the ability to perform these tasks, you will need an external KMS.
MarkLogic Encryption at REST supports KMS servers that comply with the Key Management Interoperability Protocol (KMIP), as well as Amazon's KMS.
Configuring Encryption at REST with an external KMS
The following points should be taken into consideration when configuring Encryption at REST and when choosing and sizing an external KMS:
- The KMS should be able to generate KMIP 1.2 compatible keys.
  - If the KMS is unable to generate the keys, a custom process to generate them must be developed using a third-party tool (such as PyKMIP).
- Memory consumption patterns will be different when encryption is used.
  - To access unencrypted forest data, MarkLogic normally uses memory-mapped files. When files are encrypted, MarkLogic instead decrypts them into anonymous memory.
  - As a result, encrypted MarkLogic forests use more anonymous memory and less file-mapped memory than unencrypted forests.
  - Without encryption at rest, when available memory is low, the operating system can drop file pages from the working set and later page them back in directly from the files. With encryption at rest, when memory is low, the operating system must instead write those pages to swap.
- The KMS has to be sized appropriately to handle the peak request rate of the systems that will be using it.
  - For MarkLogic, the number of requests depends on the encryption level, the ingest rate, and the server workload.
  - MarkLogic supports encryption at any or all of the following levels: Cluster, Database, Log and Configuration.
  - For MarkLogic, peak requests typically occur when a cluster first starts up, when the number of requests will be approximately 3X the number of encrypted stands.
  - During normal operation, we observed an average of 1 query to the KMS for every 100MB ingested (accounting for journal files and labels).
  - The KMS does not need to be sized based on the number of Transactions Per Second (TPS) on the MarkLogic cluster.
  - MarkLogic caches keys used for encryption for up to one hour, so calls to the KMS are minimal during ingestion.
More details on Encryption at REST can be found in the Encryption section of the MarkLogic Security Guide.